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O ■ Abstract. A channel machine consists of a finite controller together with several fifo 

channels; the controller can read messages from the head of a channel and write messages 
to the tail of a channel. In this paper, we focus on channel machines with insertion 
■ errors, i.e., machines in whose channels messages can spontaneously appear. Such devices 

^\ ' have been previously introduced in the study of Metric Temporal Logic. We consider the 

C^) . termination problem: are all the computations of a given insertion channel machine finite? 

We show that this problem has non-elementary, yet primitive recursive complexity. 

(N 

(N 
O . 

0^ ■ 1. Introduction 

Many of the recent developments in the area of automated verification, both theoretical 
and practical, have focussed on infinite-state systems. Although such systems are not, in 
general, amenable to fully algorithmic analysis, a number of important classes of models 
with decidable problems have been identified. Several of these classes, such as Petri nets, 
process algebras, process rewrite systems, faulty channel machines, timed automata, and 
many more, are instances of well-structured transition systems, for which various problems 
are decidable — see [7] for a comprehensive survey. 

Well-structured transition systems are predicated on the existence of 'compatible well- 
quasi orders', which guarantee, for example, that certain fixed-point computations will 
terminate, etc. Unfortunately, these properties are often non-constructive in nature, so 
that although convergence is guaranteed, the rate of convergence is not necessarily known. 
As a result, the computational complexity of problems involving well-structured transition 
systems often remains open. 
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In this paper, we are interested in a particular kind of well-structured transition systems, 
known as faulty channel machines. A channel machine (also known as a queue automaton) 
consists of a finite-state controller equipped with several unbounded fifo channels (queues, 
buffers). Transitions of the machine can write messages (letters) to the tail of a channel 
and read messages from the head of a channel. Channel machines can be used, for example, 
to model distributed protocols that communicate asynchronously. 

Channel machines, unfortunately, are easily seen to be Turing powerful [3], and all 
non-trivial verification problems concerning them are therefore undecidable. In [TJ [61 [U [2] , 
Abdulla and Jonsson, and Finkel et al. independently introduced lossy channel machines 
as channel machines operating over an unreliable medium; more precisely, they made the 
assumption that messages held in channels could at any point vanish nondeterministically. 
Not only was this a compelling modelling assumption, more adequately enabling the rep- 
resentation of fault-tolerant protocols, for example, but it also endowed the underlying 
transition systems of lossy channel machines with a well-structure, thanks to Higman's 
lemma [8]. As a result, several non-trivial problems, such as control-state reachability, are 
decidable for lossy channel machines. 

Abdulla and Jonsson admitted in [1] that they were unable to determine the complexity 
of the various problems they had shown to be decidable. Such questions remained open 
for almost a decade, despite considerable research interest in the subject from the scientific 
community. Finally, Schnoebelen showed in [16] that virtually all non-trivial decidable 
problems concerning lossy channel machines have non-primitive recursive complexity. This 
result, in turn, settled the complexity of a host of other problems, usually via reduction 
from reachability for lossy channel machines. Recently, the relevance of the lossy channel 
model was further understood when it was linked to a surprisingly complex variant of Post's 
correspondence problem [5]. 

Other models of unreliable media in the context of channel machines have also been 
studied in the literature. In [4], for example, the effects of various combinations of insertion, 
duplication, and lossiness errors are systematically examined. Although insertion errors are 
well-motivated (as former users of modems over telephone lines can attest!), they were 
surprisingly found in [3] to be theoretically uninteresting: channels become redundant, 
since read- and write-transitions are continuously enabled (the former because of potential 
insertion errors, the latter by assumption, as channels are unbounded). Consequently, most 
verification problems trivially reduce to questions on finite automata. 

Recently, however, slightly more powerful models of channel machines with insertion 
errors have appeared as key tools in the study of Metric Temporal Logic (MTL). In |13}ll4j . 
the authors showed that MTL formulas can capture the computations of insertion channel 
machines equipped with primitive operations for testing channel emptiness. This new class 
of faulty channel machines was in turn shown to have a non-primitive recursive reachability 
problem and an undecidable recurrent control-state reachability problem. Consequently, 
MTL satisfiability and model checking were established to be non-primitive recursive over 
finite words |13| . and undecidable over infinite words [14J. 

Independently of Metric Temporal Logic, the notion of emptiness testing, broadly con- 
strued, is a rather old and natural one. Counter machines, for instance, are usually assumed 
to incorporate primitive zero-testing operations on counters, and likewise pushdown au- 
tomata are able to detect empty stacks. Variants of Petri nets have also explored emptiness 
testing for places, usually resulting in a great leap in computational power. In the context 
of channel machines, a slight refinement of emptiness testing is occurrence testing, checking 
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that a given channel contains no occurrence of a particular message, as defined and studied 
in [T3] • Emptiness and occurrence testing provide some measure of control over insertion 
errors, since once a message has been inserted into a channel, it remains there until it is 
read off it. 

Our main focus in this paper is the complexity of the termination problem for insertion 
channel machines: given such a machine, are all of its computations finite? We show that 
termination is non-elementary, yet primitive recursive. This result is quite surprising, as 
the closely related problems of reachability and recurrent reachability are respectively non- 
primitive recursive and undecidable. Moreover, the mere decidability of termination for 
insertion channel machines follows from the theory of well-structured transition systems, 
in a manner quite similar to that for lossy channel machines. In the latter case, however, 
termination is non-primitive recursive, as shown in [16]. Obtaining a primitive recursive 
upper bound for insertion channel machines has therefore required us to abandon the well- 
structure and pursue an entirely new approach. 

On the practical side, one of the main motivations for studying termination of insertion 
channel machines arises from the safety fragment of Metric Temporal Logic. Safety MTL 
was shown to be decidable in [15], although no non-trivial bounds on the complexity could 
be established at the time. It is not difficult, however, to show that (non-)termination for 
insertion channel machines reduces (in polynomial time) to satisfiability for Safety MTL; the 
latter, therefore, is also non-elementary. We note that in a similar vein, a lower bound for 
the complexity of satisfiability of an extension of Linear Temporal Logic was given in |10j . 
via a reduction from the termination problem for counter machines with incrementation 
errors. 

2. Decision Problems for Faulty Channel Machines: A Brief Survey 

In this section, we briefly review some key decision problems for lossy and insertion 
channel machines (the latter equipped with either emptiness or occurrence testing). Apart 
from the results on termination and structural termination for insertion channel machines, 
which are presented in the following sections, all results that appear here are either known or 
follow easily from known facts. Our presentation is therefore breezy and terse. Background 
material on well-structured transition systems can be found in [7J. 

The reachability problem asks whether a given distinguished control state of a channel 
machine is reachable. This problem was shown to be non-primitive recursive for lossy 
channel machines in [16] ; it is likewise non-primitive recursive for insertion channel machines 
via a straightforward reduction from the latter [13] . 

The termination problem asks whether all computations of a channel machine are 
finite, starting from the initial control state and empty channel contents. This problem 
was shown to be non-primitive recursive for lossy channel machines in [16]. For insertion 
channel machines, we prove that termination is non-elementary in Section S] and primitive 
recursive in Section [5j 

The structural termination problem asks whether all computations of a channel machine 
are finite, starting from the initial control state but regardless of the initial channel contents. 
This problem was shown to be undecidable for lossy channel machines in [12] . For insertion 
channel machines, it is easy to see that termination and structural termination coincide, so 
that the latter is also non-elementary primitive-recursive decidable. 
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Figure 1: Complexity of decision problems for faulty channel machines. 



Given a channel machine S and two distinguished control states p and q of <S, a response 
property is an assertion that every p state is always eventually followed by a q state in 
any infinite computation of S. Note that a counterexample to a response property is a 
computation that eventually visits p and forever avoids q afterwards. The undecidability 
of response properties for lossy channel machines follows easily from that of structural 
termination, as the reader may wish to verify. 

In the case of insertion channel machines, response properties are decidable, albeit at 
non-primitive recursive cost (by reduction from reachability). For decidability one first 
shows using the theory of well-structured transition systems that the set of all reachable 
configurations, the set of ^-configurations, and the set of configurations that have infinite 
(/-avoiding computations are all effectively computable. It then suffices to check whether 
their mutual intersection is empty. 

The recurrence problem asks, given a channel machine and a distinguished control state, 
whether the machine has a computation that visits the distinguished state infinitely often. 
It is undecidable for lossy channel machines by reduction from response, and was shown to 
be undecidable for insertion channel machines in |14j . 

Finally, CTL and LTL model checking for both lossy and insertion channel machines 
are undecidable, which can be established along the same lines as the undecidability of 
recurrence. 

These results are summarised in Figure [TJ 

3. Definitions 

A channel machine is a tuple S = {Q, init, X, C, A), where Q is a finite set of control 
states, init £ Q is the initial control state, X is a finite channel alphabet, C is a finite set of 
channel names, and ACQxLxQis the transition relation, where L = {c\a, c?a, c=0, a^c : 
c G C, a £ X} is the set of transition labels. Intuitively, label c\a denotes the writing of 
message a to tail of channel c, label cla denotes the reading of message a from the head 
of channel c, label c=0 tests channel c for emptiness, and label a^c tests channel c for the 
absence (non-occurrence) of message a. 

We first define an error-free operational semantics for channel machines. Given S as 
above, a configuration of S is a pair (q, U), where q € Q is the control state and U € (X*) 
gives the contents of each channel. Let us write Conf for the set of possible configurations 
of S. The rules in A induce an L-labelled transition relation on Conf, as follows: 

(1) (q,c\a,q') € A yields a transition (q,U) —> (q',U'), where U'(c) = U(c)-a and 
U'{d) = U{d) for d ^ c. In other words, the channel machine moves from control 
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state q to control state q' , writing message a to the tail of channel c and leaving all 
other channels unchanged. 

(2) (q,c?a,q') € A yields a transition (q,U) —> (q',U ! ), where U(c) = a-U'(c) and 
U'(d) = U(d) for d ^ c. In other words, the channel machine reads message a from 
the head of channel c while moving from control state q to control state q' , leaving 
all other channels unchanged. 

(3) (g, c=0, </) € A yields a transition (q,U) — > (q',U), provided U(c) is the empty 
word. In other words, the transition is only enabled if channel c is empty; all channel 
contents remain the same. 

(4) (q,a£c,q') £ A yields a transition (q,U) (q',U), provided a does not occur 
in U(c). In other words, the transition is only enabled if channel c contains no 
occurrence of message a; all channels remain unchanged. 

If the only transitions allowed are those listed above, then we call S an error-free 
channel machine. This machine model is easily seen to be Turing powerful [3j. As discussed 
earlier, however, we are interested in channel machines with (potential) insertion errors; 
intuitively, such errors are modelled by postulating that channels may at any time acquire 
additional messages interspersed throughout their current contents. 

For our purposes, it is convenient to adopt the lazy model of insertion errors, given 
next. Slightly different models, such as those of [HE], have also appeared in the literature. 
As the reader may easily check, all these models are equivalent insofar as reachability and 
termination properties are concerned. 

The lazy operational semantics for channel machines with insertion errors simply aug- 
ments the transition relation on Conf with the following rule: 

(5) (q, c?a, q') € A yields a transition (q, U) (q ; , U). In other words, insertion errors 
occur 'just in time', immediately prior to a read operation; all channel contents 
remain unchanged. 

The channel machines defined above are called insertion channel machines with occur- 
rence testing, or ICMOTs. We will also consider insertion channel machines with emptiness 
testing, or ICMETs. The latter are simply ICMOTs without any occurrence-testing tran- 
sitions (i.e., transitions labelled with a^c). 

A run of an insertion channel machine is a finite or infinite sequence of transitions of 

the form uq cr\ — l -* . . . that is consistent with the lazy operational semantics. The run 
is said to start from the initial configuration if the first control state is init and all channels 
are initially empty. 

Our main focus in this paper is the study of the complexity of the termination problem: 
given an insertion channel machine S, are all runs of <S starting from the initial configuration 
finite? 

4. Termination is Non-Elementary 

In this section, we show that the termination problem for insertion channel machines — 
ICMETs and ICMOTs — is non-elementary. More precisely, we show that the termination 
problem for ICMETs of size n in the worst case requires time at least 2f|~0(log n)Q Note 
that the same immediately follows for ICMOTs. 



The expression 2ffm, known as tetration, denotes an exponential tower of 2s of height m. 
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Our proof proceeds by reduction from the termination problem for two-counter ma- 
chines in which the counters are tetrationally bounded; the result then follows from standard 
facts in complexity theory (see, e.g., [9]). 

Without insertion errors, it is clear that a channel machine can directly simulate a 
two-counter machine simply by storing the values of the counters on one of its channels. 
To simulate a counter machine in the presence of insertion errors, however, we require 
periodic integrity checks to ensure that the representation of the counter values has not 
been corrupted. Below we give a simulation that follows the 'yardstick' construction of 
Meyer and Stockmeyer \17\ lllj: roughly speaking, we use an m-bounded counter to check 
the integrity of a 2 m -bounded counter. 

Theorem 4.1. The termination problem for ICMETs and ICMOTs is non- elementary. 

Proof. Let us say that a counter is m-bounded if it can take values in {0, 1, . . . , m — 1}. We 
assume that such a counter u comes equipped with procedures Inc(u), Dec(w), Reset(m), 
and IsZero(u), where Inc and Dec operate modulo m, and increment, resp. decrement, the 
counter. We show how to simulate a deterministic counter machine M of size n equipped 
with two 2f|~n-bounded counters by an ICMET S of size 2°( n ). We use this simulation to 
reduce the termination problem for M. to the termination problem for S. 

By induction, assume that we have constructed an ICMET <S& that can simulate the 
operations of a 2ff/c-bounded counter u\.. We assume that correctly implements the 
operations iNC(ufc), DEC(itfc), Reset(u/ c ), and IsZERO(tifc) (in particular, we assume that 
the simulation of these operations by is guaranteed to terminate). We describe an 
ICMET <Sfc + i that implements a 2^(k + l)-bounded counter u^+i- Sk+i incorporates Sk, 
and thus can use the above-mentioned operations on the counter as subroutines. In 
addition, Sk+i has two extra channels c and d on which the value of counter u^+i is stored 
in binary. We give a high-level description. 

We say that a configuration of Sk+i is clean if channel c has size 2^k and channel d 
is empty. We ensure that all procedures on counter Uk+i operate correctly when they are 
invoked in clean configurations of Sk+i, and that they also yield clean configurations upon 
completion. In fact, we only give details for the procedure lNC(ufc+i) — see Figure [2j the 
others should be clear from this example. 

Since the counter Uk is assumed to work correctly, the above procedure is guaranteed 
to terminate, having produced the correct result, in the absence of any insertion errors on 
channels c or d. On the other hand, insertion errors on either of these channels will be 
detected by one of the two emptiness tests, either immediately or in the next procedure to 
act on them. 

The initialisation of the induction is handled using an ICMET Si with no channel (in 
other words, a finite automaton) of size 2, which can simulate a 2-bounded counter (i.e., a 
single bit). The finite control of the counter machine, likewise, is duplicated using a further 
channel-less ICMET. 

Using a product construction, it is straightforward to conflate these various ICMETs 
into a single one, S, of size exponential in n (more precisely: of size 2°(")). As the reader 
can easily check, Ai has an infinite computation iff S has an infinite run. The result follows 
immediately. ■ 
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Procedure lNC(ufc+i) 
RESET(lifc) 

repeat 

c!x ; dl(l — x) /* Increment counter Uk+i while transferring c to d */ 

lNC(«fc) 
until IsZERO(nfc) or x = 
while not IsZERO(iifc) do 

clx ; d\x /* Transfer remainder of c to d */ 

lNC(u fe ) 
endwhile 

test(c=0) /* Check that there were no insertion errors on c, otherwise halt */ 

repeat 

dlx ; c\x /* Transfer d back to c */ 

lNC(u fc ) 
until IsZERO(it fc ) 

test(d=0) /* Check that there were no insertion errors on d, otherwise halt */ 

return 

Figure 2: Procedure to increment counter Uk+i- Initially, this procedure assumes that 
counter Uk+i is encoded in binary on channel c, with least significant bit at 
the head of the channel; moreover, c is assumed to comprise exactly 2ff/c bits 
(using padding Os if need be). In addition, channel d is assumed to be initially 
empty. Upon exiting, channel c will contain the incremented value of counter 
Uk+i (modulo 2"fT(£: + 1)) in binary, again using 2f|-fc bits, and channel d will be 
empty. We regularly check that no insertion errors have occurred on channels c 
or d by making sure that they contain precisely the right number of bits. This 
is achieved using counter Uk (which can count up to 2f|~fc and is assumed to work 
correctly) together with emptiness tests on c and d. If an insertion error does 
occur during execution, the procedure will either halt, or the next procedure to 
handle channels c and d (i.e., any command related to counter u^+i) will halt. 

5. Termination is Primitive Recursive 

The central result of our paper is the following: 

Theorem 5.1. The termination problem for ICMOTs and ICMETs is primitive recursive. 
More precisely, when restricting to the class of ICMOTs or ICMETs that have at most k 
channels, the termination problem is in (k+l)-EXPSPACE. 

Proof. In what follows, we sketch the proof for ICMOTs, ICMETs being a special case of 
ICMOTs. Let us also assume that our ICMOTs do not make use of any emptiness tests; 
this restriction is harmless since any emptiness test can always be replaced by a sequence 
of occurrence tests, one for each letter of the alphabet, while preserving termination. 

Let S = (Q,init,T,,C,A) be a fixed ICMOT without emptiness tests; in other words, 
<S's set of transition labels is L = {c\a,c?a,a^c : c £ C, a G £}. Our strategy is as follows: 
we suppose that <S has no infinite runs, and then derive an upper bound on the length of the 
longest possible finite run. The result follows by noting that the total number of possible 
runs is exponentially bounded by this maximal length. 
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For a subset D C C of channels, we define an equivalence =d over the set Conf of 
configurations of <S as follows: 

(q, U) = D (q', U') iff q = q' and U(d) = U'(d) for every d £ D. 

Let us write Conf D to denote the set Conf /=£> of equivalence classes of Conf with 
respect to =d- Furthermore, given / :D-tNa 'bounding function' for the channels in D, 
let 

Conf f D = {[(q, U)] D £ Conf D : \U(d)\ < /(d) for every d € D} 
be the subset of Conf D consisting of those equivalence classes of configurations whose D- 
channels are bounded by /. As the reader can easily verify, we have the following bound 
on the cardinality 7^, of Conf^: 

7 ^<iQin(i s i+ i ) /(d) - 

deD 

Consider a finite run <7o o~\ — l -+ . . . * o~ n of S (with n > 1), where each o~i € Conf 
is a configuration and each Zj £ L is a transition label. We will occasionally write <7o <r n 
to denote such a run, where A = ^i • • • Jn-1 £ 

We first state a pumping lemma of sorts, whose straightforward proof is left to the 
reader: 

Lemma 5.2. Let D Q C be given, and assume that a a 1 (with A E L + ) is a run of S 
such that a =0 a' . Suppose further that, for every label a^c occurring in \, either c € D, 
or the label c\a does not occur in A. Then A is repeatedly firable from a, i.e., there exists 

an infinite run a =^ a' =4> a" => .... 

Note that the validity of Lemma 15.21 rests crucially on (the potential for) insertion 
errors. 

Let {wi)i<i< n be a finite sequence, and let < a < 1 be a real number. A set S is said 
to be a-frequent in the sequence (wi) if the set {i : Wi G S} has cardinality at least an. 

The next result we need is a technical lemma guaranteeing a certain density of repeated 
elements in an a-frequent sequence: 

Lemma 5.3. Let (wi)i<i< n be a finite sequence, and assume that S is a finite a-frequent 
set in (wi). Then there exists a sequence of pairs of indices ((ij, ij)}i<j< —^a— such that, 

for all j < 2{\s\+i) > we have ij < i'- < ij+i, i'j — ij < 2 ^ +1 ) , and Wi j = uij/. £ S. 

Proof. By assumption, {wi) has a subsequence of length at least an consisting exclusively of 
elements of S. This subsequence, in turn, contains at least rgrpi disjoint 'blocks' of length 
l^l + 1. By the pigeonhole principle, each of these blocks contains at least two identical 
elements from S, yielding a sequence of pairs of indices ((ij,i'j))i<j< an having all the 

required properties apart, possibly, from the requirement that i'- — u < ' — '-. Note also 
that there are, for now, twice as many pairs as required. 

Consider therefore the half of those pairs whose difference is smallest, and let p be the 
largest such difference. Since the other half of pairs in the sequence ((ij, ij)) have difference 
at least p, and since there is no overlap between indices, we have ^ • ■ p < n, from 

which we immediately derive that p is bounded by 2 ^^ +1 ^ , as required. This concludes the 
proof of Lemma 15.31 ■ 
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Recall our assumption that S has no infinite run, and let ir = o"o o\ . . . ^— > cr n 
be any finite run of 5, starting from the initial configuration; we seek to obtain an upper 
bound on n. 

Given a set D C C of channels, it will be convenient to consider the sequence [tt]d = 
([ci]r>)o<i<n of equivalence classes of configurations in ir modulo =o (ignoring the inter- 
spersed labelled transitions for now). 

Let / : C — > N and < a < 1 be given, and suppose that Conf^ is a-frequent in [ir]c, 
so that there are at least an occurrences of configuration equivalence classes in Conf^ along 
[ir\c- Recall that Conj q contains 7^ elements. Observe, by Lemma l5.2[ that no member of 
Conj "q can occur twice along [tt]d, otherwise S would have an infinite run. Consequently, 

n<^. (5.2) 

a 

We will now inductively build an increasing sequence = Do C D\ C . . . C D\q\ = C, 
as well as functions fi : D{ — > N and real numbers < on < 1, for < i < |C|, such that 
Confp_ is aj-frequent in [tt]^ for every i < \C\. 

The base case is straightforward: the set Conf^ = Conf® is clearly 1-frequent in [ir]®. 

Let us therefore assume that Conf^ D is a-frequent in [tt]d f° r some strict subset D of 
C and some / : D — > N and a > 0. We now compute -D' C C strictly containing D, 

rl 

f :D' -> N, and a' > such that Con/^, is a'-frequent in [7r]o/. 

Thanks to our induction hypothesis and Lemma 15.3} we obtain a sequence of pairs of 
configurations {{6j,8'j))i<j<hi where h = ° n — -, [0j]o = [9'Ad G Conf^, and such that 

- - 2(7 D +1) ' ' 

with each Aj G L + having length no greater than ^, for 1 < j < h. 

For each Xj, let OT.,- be the set of occurrence-test labels that occur at least once in 
Xj. Among these sets, let OT denote the one that appears most often. Note that there are 
2l s H c 1 different possible sets of occurrence-test labels, and therefore at least ^sf\u\ °f the 
OTj are equal to OT. 

Following a line of reasoning entirely similar to that used in Lemma [5.3lR we can deduce 
that ir contains at least 4 2 \s\-\c\ = 8 ( / + i" 2 |s|-|c| non-overlapping patterns of the form 

6' =U 9 =^> 9', 

where: 

• [0\ D = W]d G Conf f D and [9] D = [9'] D G Conf f D , 

2(7^+1) 



A, A G L + each have length no greater than 

g( 7 / + l)2ls|-|cr 

5 G L + has length no greater than — - — - , and 

the set of occurrence-test labels occurring in A and A in both cases is OT. 



2 Formally, we could directly invoke Lemma [5.31 as follows. Write the sequence of transition labels of ir as 
5oAi5iA2 ■ ■ ■ \h5h, with the Xi as above. Next, formally replace each instance of Xi whose set of occurrence- 
test labels is OT by a new symbol O; if needed, add dummy non-O symbols to the end of the sequence to 
bring its length up to n, and call the resulting sequence (wi). Finally, note that the singleton set {O} is 

2 l s l -KT n - fre q uent in ( w i>- 
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Consider such a pattern. Observe that A must contain at least one occurrence-test label 
atfic with c ^ D and such that the label c\a occurs in A, otherwise S would have an infinite 
run according to Lemma 15.21 Pick any such occurrence-test label and let us denote it a^c. 

We now aim to bound the size of channel c in the 9 configuration of our patterns. Note 
that since A and A contain the same set of occurrence-test labels, the label a^c occurs in A. 
That is to say, somewhere between configurations 9 and 9', we know that channel c did not 
contain any occurrence of a. On the other hand, an o was written to the tail of channel c 
at some point between configurations 9 and 9', since A contains the label cla. For that a to 
be subsequently read off the channel, the whole contents of channel c must have been read 
from the time of the c\a transition in A to the time of the a^c transition in A. Finally, note 
that, according to our lazy operational semantics, the size of a channel changes by at most 
1 with each transition. It follows that the size of channel c in configuration 9 is at most 

iai + i^i+ivi<^ +i)(4 : 8 - 2Ihmci) . 

Let D' = DU{c}, and define the bounding function f':D' -> N such that f'{d) = f(d) 

for all d € D, and f'(c) = ^ 7 ° +1 ^ 4 "^ 8 2 1. From our lower bound on the number of special 

rf 



patterns, we conclude that the set Conf D , is a'-frequent in [tt}d'^ where a' = — j +1 " 2 | S |.| C | ■ 

We now string everything together to obtain a bound on n, the length of our original 
arbitrary run ir. For convenience, let c\, c%, . . . , ciq\ be an enumeration of the channel names 
in C in the order in which they are picked in the course of our proof; thus Di = -Dj-i U {c{\ 
for 1 < % < \C\. Correspondingly, let Mj = fi(ci), for < i < |C|, with the convention that 
Mq = 1; it is easy to see that Mj is the maximum value of fi over Di, since the sequences 
(1d ) an d are monotonically increasing and decreasing respectively. 

From Equation 15.11 we easily get that 7^. G 0(|5|' 5 ' A;iri ), where |<S| is any reasonable 
measure of the size of our ICMOT S. Combining this with our expressions for /' and a' 

1 - ( \s\\ s ^ M ^ \ 

above, we obtain that Mj+i, — — G O I — — : — for < i < \C\ — 1. This, in turns, lets 



us derive bounds for 7^°' and aich which imply, together with Equation 15.21 that 

2 PQs\) 

n<2 2 ' 

where P is some polynomial (independent of S), and the total height of the tower of expo- 
nentials is \C\ + 2. 

The ICMOT S therefore has an infinite run iff it has a run whose length exceeds the 
above bound. Since the lazy operational semantics is finitely branching (bounded, in fact, by 
the size of the transition relation), this can clearly be determined in (|C|+1)-EXPSPACE, 
which concludes the proof of Theorem 15.11 ■ 

Theorems 14.11 and 15.11 immediately entail the following: 

Corollary 5.4. The structural termination problem — are all computations of the machine 
finite, starting from the initial control state but regardless of the initial channel contents? — is 
decidable for ICMETs and ICMOTs, with non- elementary but primitive-recursive complex- 
ity. 
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6. Conclusion 

The main result of this paper is that termination for insertion channel machines with 
emptiness or occurrence testing has non-elementary, yet primitive recursive complexity. 
This result is in sharp contrast with the equivalent problem for lossy channel machines, 
which has non-primitive recursive complexity. 

We remark that the set of configurations from which a given insertion channel machine 
has at least one infinite computation is finitely representable (thanks to the theory of well- 
structured transition systems), and is in fact computable as the greatest fixed point of the 
pre-image operator. The proof of Theorem l5.ll moreover, shows that this fixed point will be 
reached in primitive-recursively many steps. The set of configurations from which there is 
an infinite computation is therefore primitive-recursively computable, in contrast with lossy 
channel machines for which it is not even recursive (as can be seen from the undecidability 
of structural termination). 

Finally, another interesting difference with lossy channel machines can be highlighted 
by quoting a slogan from |16j : "Lossy systems with k channels can be [polynomially] encoded 
into lossy systems with one channel." We can deduce from Theorems 14.11 and 15.11 that any 
such encoding, in the case of insertion channels machines, would require non-elementary 
resources to compute, if it were to preserve termination properties. 
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